Posted
by
CmdrTaco
on Thursday December 16, 2010 @10:39AM
from the love-for-the-lousy dept.

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me". It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.

If none of these work, register an account with a throwaway email address (mailinator etc.) and share it on bugmenot and its clones.

This seems like a good idea in theory, but it can backfire. For example, I used to use a particular email address for certain...less reputable sites. Since those sites occasionally do various email verification things, I had to check that email address every so often so I couldn't just throw it away. Over time, I started to use that address for more and more sites until I eventually remembered that address better than my actual email address. After that, it wasn't long before I instinctively started using is for *everything*.

Anyway, long story short my primary email address is now midgetgrannyhorseporn@donttellmywife.org.

There are several tools you can use to make the whole "required registration for everything" a little less annoying:

http://www.bugmenot.com/ [bugmenot.com] has usernames and passwords that people have submitted for a bunch of sites. Very handy when you want to read something in a web forum (or other site, but I've found forums to be the worst) that has really obnoxious registration requirements.

http://mytrashmail.com/ [mytrashmail.com] is an anonymous email service that lets you use a temporary email address, without requiring registrat

...use a password manager... I don't have any idea what most of my passwords are.

To me that's unacceptable. What happens when a bad update or a hardware failure renders your passwords inaccessible?
But I guess most people are so dull they have no choice -- it's software or 123456, otherwise their pitiful little brains will be overwhelmed.
No doubt this laziness and apathy is precisely why everyone will be chipped soon.

I have terrible memory, you insensitive clod. It has nothing to do with being lazy.

But I don't use password managers, I use an algorithm based password generator. I can recreate any password with a SHA-1 hasher.

Of course, I still have about 9 or 10 memorized passwords for important stuff (root accounts, bank, etc), but it would be completely impossible for me to remember the dozens of passwords for every random website that requires me to register.

It's not laziness, it's that the password system of authentication is fundamentally broken. You tell a person that they have to remember a long, unique, random string of characters that has no connection to anything they've done or anything about them in real life. They have to use a different one of these for each place they go to that requires a password and they have to change them frequently every few weeks/months. If you've got 10 sites you belong to and you change your password every month that's 120

Actually in that case, I grab all the weapons and ammo I have along with all the camping gear, throw it all in the small suzuki 4X4 an kill everyone at the nearest gas station so I can fill all the jerry cans I have, then drive as far north as I can to get away from civilization, find a nice hunting cabin in Canada and live there until most of society eat's it's self.

Then I can access my passwords from the thumb drive I keep in my anus.

Finally, if you use a password manager (I've been using KeePassX, it's pretty good and cross-platform), then you don't have to remember passwords anymore, so there's no reason to use a weak password for anything. I don't have any idea what most of my passwords are.

Yep. I use 1Password and have the encrypted file synced through dropbox to my iPhone and other systems. I really don't know what most of my passwords are anymore.

Yes, and it depends on the site as well. I use 111111 for newspaper sites, I have a strong password for slashdot simply because I like my user name and have excellent karma. I have an even stronger password for my computers.

And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.

WTF people?

But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...

But much less safer. My phone has a PIN you need to insert to unlock its keyboard or turn it on. Even if they steal it, they can't use it for transferring money.

You either have to leave the paper at home (meaning you won't be able to use internet backing somewhere else), or you risk much more if someone steals your wallet with it and you don't notice in time to tell the bank.

Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.

I have the same problem with my... bank card. In what world is a four digit password based off of ten numbers a secure method of doing business. The immediate answer is, "you have to have a passcard too" but this is no longer true since someone can walk past your wallet with a fancy phone attachment and get your number just by bumping into you to put onto their own fake card. Ah well.

The real security in bank cards is the secrecy of the algorithm. Which is probably over 20 years old by now.

If any criminal had access to the algorithm, it would of course be trivial to run through the 10000 possible options to find the pin number that goes with the stolen bank card, but fortunately in the past 20 years nobody has ever been able to bribe anyone for access to that algorithm. We're safe, guys.

Not the same problem at all. Nobody should have a copy of your bank card number, so that can be seen as part of the 'secret' number in addition to the PIN code. So you need the card as well as the PIN. If somebody steals the card number, and fakes a bank card, you have already reduced the number of people that can do this as well as increased the cost of doing it. Then you only get 3 tries before your card is locked. The best way of capturing the PIN is a fake ATM with camera to capture your pin number, and

Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.

Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.

And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.

Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.

Which is why my browser resides on a truecrypt volume, and my computer locks itself after I've been away for 2 minutes. Plus I'm in the habit of manually locking the computer when there are others around. Not really an issue.

And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.

No, you can go and manually look at the password for the site.

Your browser burps, and you're toast.

You don't do backups?

You're accessing from some other system, and you're locked out of everything.

I have a way around that, but yeah, it would be an issue for most people.

one time i worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. and your username was some cryptic combination of initials, numbers and department. needless to say most people would keep a copy under the keyboard. meanwhile the admins thought they were james bond with their cool security

Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

Look at this this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

or maybe just use a basic cipher or memory peg for all passwords... at least, that's what I did until someone hacked all of my email addresses (but forgot to change the "I forgot my password" setting and this allowed me to regain control).

So what's harder to crack, a Secure password you've described above written on a sticky note stuck to a monitor or under a keyboard or a slightly less secure password most people can remember?

We have similar password requirements where I work only you can't reuse a password with in the last 14 passwords and it's changed every 3 months. I manage several databases, have 10 different application accounts, 3 HR accounts (for requesting time off, training and such), 3 e-mail accounts and at least four web foru

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol.
Anyhow why is the windows example being used in this article at all?

A little harder to block, yes I would agree, however even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (knock on wood) Still a long time until the example password gets cracked. So at the heart of this question- are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 second

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

You missed the point of using rainbow tables in the first place. It's not about brute force guessing a password - any system that's still vulnerable to that sort of attack should have the admin taken out and shot. It's in the case where an attacker get hold of the file containing *hashed* passwords, and want to work out what passwords correspond to those hashes (which is what happened in this case).

Windows, Linux, whatever - if a file of hashed passwords can be obtained, and those hashes aren't salted, th

The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as 2 7 character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 char

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol.
Anyhow why is the windows example being used in this article at all?

Right, but the issue is, they weren't cracking over an IP. They made off with a hash file. This is why system-level security is more important than user-level security. The problem isn't that the users had weak passwords, it's that Gawker's servers were compromised. Now the hackers don't have to worry about IP auth denial.

A hacker making off with a hash file is like a thief making off with your portable safe. Sure, it's fire proof and has a padlock, but he has all the time in the world now, in a safe envir

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

Any attacker worth their salt won't carry out the attack directly themselves, they'll instruct a botnet of 20,000 PCs to make 3 attempts each and log any that come back as working.

The coding horrors article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.

That was a rainbow table attack. A way of cracking password hashes by having all possible character combinations and their corresponding hashes in a huge precomputed table. You need access to the password hashes for that and the security system needs to be badly designed. Rainbow tables are easily defeated by using large salt values that would require the rainbow tables to be not simply huge but impossibly huge.

In addition to salting the password, I design my systems to sleep for one second after each failed password attempt, and for 3 seconds before booting the guy off. That should take care of brute force attacks.

Hash table-based password attacks depend on having access to the hashed password value; they are not used in a brute-force front-door attack. The article should have been clear about this, as it is essentially pointing out that passwords aren't safe from discovery if the password database itself has been taken, even though the password values are hashed.

From a belt-and-suspenders security viewpoint, it is reasonable to want the database of hashed password values to be secure against "reversing" the hash t

Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).

So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their

The recent Gawker hack where the entire username/password table was leaked is exactly the kind of "unrealistic attack" that you're calling "practically impossible to pull off". You don't need physical access to the system with the passwords, you just need a copy of the encypted passwords from the system to be moved onto a system that you have physical access to.

Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

Human brains just do not generate or remember random strings very well,

If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.

The brain is bad a remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.

A sequence of movements is great until you're required to change your password every 30-60 days. At which point by the time I get the sequence down so I don't need to remember the password it's changed and I have to learn a new one.

That method works well with some things, like phone numbers. I can't remember my wife's cell number so I have an excuse not to give it out to people, but I can still dial it when I have to call her.

I use a movement sequence, and change my starting key when I need to change my password on a "schedule". All I need to remember is what key to start on. I have six different movement sequences that I use depending on what account it is, and have never had trouble keeping them separate. Then again, I also remember all phone numbers as movement sequences, and need to look at a keypad to tell people what my own phone number is.

Also, it makes using the ipod screen-keyboard to log into anything really annoyin

Likewise. Back before I started using a password generation/management tool, I produced and memorized my passwords by trying "1337" variations of misspelled words (ones that wouldn't be in a dictionary) with some special characters mixed in somewhat randomly until I found a sequence that was easy to type and "felt" right as I typed it. I'd then toss in camel-cased capitalization based on when it was natural for my hands to hit the Shift key, rather than picking them arbitrarily. There were a few legitimate

PIN number for debit cards are only 4 digits and they work pretty well. The problem doesn't seem to be the password but the system that allows too many automatic tries. There's a problem with denial of service, but there are solutions for that....

Is to think of a sentence that has letters and numbers - and then take the first letter of each word and all the numbers.

Ex: My best friend Joseph was born on the 15th of December = MbfJwbot15oD. Mixed letters and numbers of different cases - and its pretty easy to remember.-What you could also try I guess is to get some sort of hash+salt - type in your password, and use that hash of the password as your password (which will also get rehashed). Bit hard on computer

I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

Someone who uses:
mysecr1tword4gawker.comfor fun and
mysecr1tword4mybank.comfor their bank isn't that much safer than if they had just used the same password for both.

Much better to use throwaway ones for sites like gawker; and truly random ones for banking.

IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.

Why is that algorithm a bad idea? It is certainly safer than using the same password for both. Bonus points if you add other algorithmic goodness (capitalize the 2nd vowel in the site name, replace the third letter with a number, etc...).
Look, I need a password to log into my bank. My newspaper. My email. My blog. My kid's school. I actively use dozens of passwords. Algorithms like this are certainly no worse than writing everything down, and are certainly better than using the same password for everythin

"Why is Ophcrack so fast? Because it uses Rainbow Tables.....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"

In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.

In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.

Absolutely! A co-worker of mine has been using it and stated that it worked well for him. After these recent break-ins, I decided to sign up for LastPass. I wen through all the websites I use on a regular basis and used LastPass' password generator to generate secure passwords for each. I feel much safer now knowing all my passwords are extremely strong. While the free service should suffice most of your needs, I signed up for the premium service ($12/year) to get the mobile app for my phone.

I use Keepass to maintain all of my passwords. It's open-source and encrypted using AES 256. I save the password database on Dropbox, which keeps an updated copy available on all of my computers. The only problem is that I cannot login to the websites on public computers, but I think that's an added security bonus. I have my Blackberry with me to check my email, which is what I really need to check on the road.

Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure(ie. does it just say "no" does it say "wrong password" does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account(subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer(and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromized systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...

After Gawker got hacked I changed my duplicate passwords and made most of them unique or variants on a theme. So all of them stronger and over 10 chars in length. But I got to thinking that probably I should be bothering nearly as much about choosing password variants for throwaways because I'll never remember them all. I think for forums / chat boards it would suffice to just take the domain name (e.g. gawker) and append it to a fairly strong throwaway password shared everywhere. For example say my throwaw

Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.

It's the old obscure OS trick. If you are using an operating system that the hackers commands mean nothing to, you are secure. I know of a few people who run email servers(as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero.(while there were easy ways ten years ago, everyone has forgotten them by now) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime)

While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with.(though I suspect that they do check for simplified Chinese and Japanese and similar characters - the trick would be to pick something obscure like Sandscrit or another ancient language.

And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:

gpw

Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.

At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?

Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*

And you might also try what I suggested to metrix007 in my other comment, next time/. breaks, if it’s a recurring problem for you. I had something screwy with my account that your method didn’t fix, and none of the controls in the D2 system would fix (that/my/comments page isn’t accessible from within D2).

speaking of adblock, (and yes, this is somewhat offtopic, and if someone wants to waste mod points on a nested comment so far down, kudos to you), have you noticed that more ads seem to be getting through on Chrome lately? Is this a "feature" of the browser or is this isolated to me (likely user error or some such)?